
Commit 3d3af05

authored
Merge pull request #22 from aws-samples/vpc
added vpc support
2 parents a673d58 + 9e22bfa commit 3d3af05


7 files changed

+54
-16
lines changed


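--- a/README.md
+++ b/README.md
@@ -73,6 +73,12 @@ module "pipeline" {
 terraform_version = "1.5.7"
 checkov_version = "3.2.0"
 tflint_version = "0.48.0"
+
+vpc = {
+vpc_id = "vpc-011a22334455bb66c",
+subnets = ["subnet-011aabbcc2233d4ef"],
+security_group_ids = ["sg-001abcd2233ee4455"],
+}
 
 tags = join(",", [
 "Environment[Dev,Prod]",
@@ -109,6 +115,8 @@ module "pipeline" {
 
 `tflint_version` controls the [tflint](https://github.com/terraform-linters/tflint) version. It defaults to 0.48.0.
 
+`vpc` configures the CodeBuild projects to [run in a VPC](https://docs.aws.amazon.com/codebuild/latest/userguide/vpc-support.html).
+
 `tags` enables tag validation with [tag-nag](https://github.com/jakebark/tag-nag). Input a list of tag keys and/or tag keys and values to enforce. Input must be passed as a string, see [commands](https://github.com/jakebark/tag-nag?tab=readme-ov-file#commands).
 
 `tagnag_version` controls the [tag-nag](https://github.com/jakebark/tag-nag) version. It defaults to 0.5.8.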

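--- a/codebuild.tf
+++ b/codebuild.tf
@@ -11,6 +11,7 @@ module "validation" {
 build_spec = "${each.key}.yml"
 log_group = aws_cloudwatch_log_group.this.name
 image = each.value
+vpc = var.vpc
 }
 
 module "plan" {
@@ -22,6 +23,7 @@ module "plan" {
 build_spec = "plan.yml"
 log_group = aws_cloudwatch_log_group.this.name
 image = "hashicorp/terraform:${var.terraform_version}"
+vpc = var.vpc
 }
 
 module "apply" {
@@ -33,6 +35,7 @@ module "apply" {
 build_spec = "apply.yml"
 log_group = aws_cloudwatch_log_group.this.name
 image = "hashicorp/terraform:${var.terraform_version}"
+vpc = var.vpc
 }
 
 resource "aws_iam_role" "codebuild_validate" {
@@ -49,12 +52,10 @@ data "aws_iam_policy_document" "codebuild_validate_assume" {
 statement {
 effect = "Allow"
 actions = ["sts:AssumeRole"]
-
 principals {
 type = "Service"
 identifiers = ["codebuild.amazonaws.com"]
 }
-
 condition {
 test = "StringLike"
 variable = "aws:SourceArn"
@@ -69,12 +70,10 @@ data "aws_iam_policy_document" "codebuild_execution_assume" {
 statement {
 effect = "Allow"
 actions = ["sts:AssumeRole"]
-
 principals {
 type = "Service"
 identifiers = ["codebuild.amazonaws.com"]
 }
-
 condition {
 test = "StringEquals"
 variable = "aws:SourceArn"
@@ -109,7 +108,6 @@ data "aws_iam_policy_document" "codebuild" {
 "logs:CreateLogStream",
 "logs:PutLogEvents"
 ]
-
 resources = [
 "arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:*"
 ]
@@ -122,7 +120,6 @@ data "aws_iam_policy_document" "codebuild" {
 "codebuild:UpdateReport",
 "codebuild:BatchPutTestCases"
 ]
-
 resources = [
 aws_codebuild_report_group.sast.arn
 ]
@@ -134,7 +131,6 @@ data "aws_iam_policy_document" "codebuild" {
 "s3:GetObject",
 "s3:PutObject"
 ]
-
 resources = [
 "${aws_s3_bucket.this.arn}/*",
 ]
@@ -151,6 +147,21 @@ data "aws_iam_policy_document" "codebuild" {
 "*"
 ]
 }
+
+dynamic "statement" {
+for_each = var.vpc == null ? [] : [var.vpc]
+content {
+effect = "Allow"
+actions = [
+"ec2:DescribeSecurityGroups",
+"ec2:DescribeSubnets",
+"ec2:DescribeVpcs"
+]
+resources = [
+"*"
+]
+}
+}
 }
 
 resource "aws_codebuild_report_group" "sast" {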
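Review bot: The statement added at the end of data.aws_iam_policy_document.codebuild (new lines 150-164) grants only ec2:DescribeSecurityGroups, ec2:DescribeSubnets and ec2:DescribeVpcs, which is not enough for a project that now carries vpc_config: CodeBuild also has to create, describe and delete the build's network interfaces, and the VPC-support guide the README links lists ec2:CreateNetworkInterface, ec2:DeleteNetworkInterface, ec2:DescribeDhcpOptions, ec2:DescribeNetworkInterfaces and ec2:CreateNetworkInterfacePermission for that. Presumably this document is attached to the CodeBuild service role; if so, a build with vpc set would fail at interface creation. The Describe actions carry no resource-level scoping, so "*" is expected there, but ec2:CreateNetworkInterfacePermission should stay limited to the configured subnets and to codebuild.amazonaws.com through the ec2:Subnet and ec2:AuthorizedService condition keys so the role cannot attach interfaces elsewhere. The block below replaces the added dynamic statement; data.aws_iam_policy_document.codebuild starts before this hunk.
```hcl
  dynamic "statement" {
    for_each = var.vpc == null ? [] : [var.vpc]
    content {
      effect = "Allow"
      actions = [
        "ec2:CreateNetworkInterface",
        "ec2:DeleteNetworkInterface",
        "ec2:DescribeDhcpOptions",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeVpcs"
      ]
      # Describe/Create/DeleteNetworkInterface accept no resource ARN; scoping happens in the next statement.
      resources = ["*"]
    }
  }

  dynamic "statement" {
    for_each = var.vpc == null ? [] : [var.vpc]
    content {
      effect    = "Allow"
      actions   = ["ec2:CreateNetworkInterfacePermission"]
      resources = ["arn:aws:ec2:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:network-interface/*"]
      # Only CodeBuild itself, and only in the subnets handed to the module.
      condition {
        test     = "StringEquals"
        variable = "ec2:AuthorizedService"
        values   = ["codebuild.amazonaws.com"]
      }
      condition {
        test     = "StringEquals"
        variable = "ec2:Subnet"
        values   = [for s in statement.value.subnets : "arn:aws:ec2:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:subnet/${s}"]
      }
    }
  }
```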

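--- a/codepipeline.tf
+++ b/codepipeline.tf
@@ -106,12 +106,10 @@ data "aws_iam_policy_document" "codepipeline-assume-role" {
 statement {
 effect = "Allow"
 actions = ["sts:AssumeRole"]
-
 principals {
 type = "Service"
 identifiers = ["codepipeline.amazonaws.com"]
 }
-
 condition {
 test = "StringLike"
 variable = "aws:SourceArn"
@@ -142,7 +140,6 @@ data "aws_iam_policy_document" "codepipeline" {
 "s3:PutObjectAcl",
 "s3:PutObject"
 ]
-
 resources = [
 "${aws_s3_bucket.this.arn}",
 "${aws_s3_bucket.this.arn}/*"
@@ -155,7 +152,6 @@ data "aws_iam_policy_document" "codepipeline" {
 "codebuild:BatchGetBuilds",
 "codebuild:StartBuild"
 ]
-
 resources = [
 "arn:aws:codebuild:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:project/${var.pipeline_name}-*"
 ]
@@ -171,7 +167,6 @@ data "aws_iam_policy_document" "codepipeline" {
 "codecommit:CancelUploadArchive",
 "codestar-connections:UseConnection"
 ]
-
 resources = [
 var.connection == null ? "arn:aws:codecommit:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:${var.repo}" : var.connection
 ]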

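--- a/eventbridge.tf
+++ b/eventbridge.tf
@@ -47,12 +47,10 @@ data "aws_iam_policy_document" "eventbridge_assume" {
 statement {
 effect = "Allow"
 actions = ["sts:AssumeRole"]
-
 principals {
 type = "Service"
 identifiers = ["events.amazonaws.com"]
 }
-
 condition {
 test = "StringEquals"
 variable = "aws:SourceAccount"
@@ -79,7 +77,6 @@ data "aws_iam_policy_document" "eventbridge" {
 actions = [
 "codepipeline:StartPipelineExecution"
 ]
-
 resources = [
 aws_codepipeline.this.arn
 ]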

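--- a/modules/codebuild/main.tf
+++ b/modules/codebuild/main.tf
@@ -22,7 +22,6 @@ resource "aws_codebuild_project" "this" {
 value = environment_variable.value
 }
 }
-
 }
 
 logs_config {
@@ -39,5 +38,15 @@ resource "aws_codebuild_project" "this" {
 insecure_ssl = false
 report_build_status = false
 }
+
+dynamic "vpc_config" {
+for_each = var.vpc == null ? [] : [var.vpc]
+content {
+vpc_id = vpc_config.value.vpc_id
+subnets = vpc_config.value.subnets
+security_group_ids = vpc_config.value.security_group_ids
+}
+}
+
 }
 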

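--- a/modules/codebuild/variables.tf
+++ b/modules/codebuild/variables.tf
@@ -29,3 +29,12 @@ variable "log_group" {
 variable "image" {
 type = string
 }
+
+variable "vpc" {
+type = object({
+vpc_id = string
+subnets = list(string)
+security_group_ids = list(string)
+})
+default = null
+}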
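Review bot: The new `vpc` variable (new lines 33-40) carries no `description`, so the only place a caller learns what the three attributes mean and that `null` keeps the builds outside a VPC is the README; the same omission is in the root variables.tf. Since the security groups listed here become the egress boundary of the build's network interfaces, the description is where that consequence belongs, e.g. `description = "Optional VPC placement for the CodeBuild projects (vpc_id, subnets, security_group_ids). null keeps the builds outside a VPC; the security groups govern the builds' network access."`. Add the same attribute to the root `vpc` variable in variables.tf.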

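--- a/variables.tf
+++ b/variables.tf
@@ -111,3 +111,12 @@ variable "tflint_version" {
 type = string
 default = "0.48.0"
 }
+
+variable "vpc" {
+type = object({
+vpc_id = string
+subnets = list(string)
+security_group_ids = list(string)
+})
+default = null
+}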
